Potential fix for pull request finding 'CodeQL / DOM text reinterpreted as HTML'

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

Author: samejr

apps/webapp/app/components/navigation/NotificationCard.tsx

@@ -3,6 +3,23 @@ import { useLayoutEffect, useRef, useState } from "react";
 import ReactMarkdown from "react-markdown";
 import { cn } from "~/utils/cn";
 
+function sanitizeActionUrl(url?: string): string | undefined {
+  if (!url) return undefined;
+  const trimmed = url.trim();
+  if (!trimmed) return undefined;
+
+  try {
+    const parsed = new URL(trimmed, window.location.origin);
+    if (parsed.protocol === "http:" || parsed.protocol === "https:") {
+      return parsed.toString();
+    }
+  } catch {
+    return undefined;
+  }
+
+  return undefined;
+}
+
 export function NotificationCard({
   title,
   description,
@@ -23,6 +40,7 @@ export function NotificationCard({
   const [isExpanded, setIsExpanded] = useState(false);
   const [isOverflowing, setIsOverflowing] = useState(false);
   const descriptionRef = useRef<HTMLDivElement>(null);
+  const safeActionUrl = sanitizeActionUrl(actionUrl);
 
   useLayoutEffect(() => {
     const el = descriptionRef.current;
@@ -50,9 +68,9 @@ export function NotificationCard({
 
   return (
     <div className="group/card relative overflow-hidden rounded border border-charcoal-650 bg-charcoal-700/50 shadow-lg">
-      {actionUrl && (
+      {safeActionUrl && (
         <a
-          href={actionUrl}
+          href={safeActionUrl}
           target="_blank"
           rel="noopener noreferrer"
           aria-label={title}